After six days and thousands of pwned users, Cisco poised to patch IOS XE flaw

On Friday, Cisco released more details about the critical zero-day bug it disclosed on Monday, and said it hopes to have a fix available to customers beginning Sunday. "Through ongoing investigation, we uncovered the attacker combined two vulnerabilities to bypass security measures (the first for initial access and the second …

  1. Paul Crawford

    Forgive me for asking, but do CISCO devices have the internet-facing (WAN side) web interface on by default, or are people deliberately configuring it that way for some sort of remote access "convenience"?

    I would assume you should always VPN in if external, and then admin from the internal (LAN side), so at least two access tokens/passwords needed.

    1. Anonymous Coward

      No, they don't even load by default.

      And it's not considered good practice to enable them on a public IP. The glaring exception would be hosted routers where the hosting company has also loaded an accurate and effective ACL limiting the scope of access to their own systems. There are TOO MANY cases where those restrictions weren't applied, especially for CPE for people's internet access.

      I can remember conversations about whole European ISPs that left the port wide open and used an easy to guess username and password in years gone by.

      If you have to do something similar yourself, limit access to SSH only, lock it by IP and to preshared ssh keys and disable password only auth, and make your internal team map the HTTP/S ports over their SSH tunnel if they need web access.

      Even loading the interface on the private side could expose you to a reflection attack from your local network, so an attacker is only an evil link away. I'd kill it off till a fix is available, and only re-enable it after a review of the access restrictions. Sadly, not in your control for CPE/managed routers and possibly not even visible to you as the subscriber. You may be able to tease info out of CDP or the serial console port even on a locked down router though, and then cane the support of your provider till they provide evidence the config is secure.

      Easier for me to say as only one of my three ISPs has replied so far.
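The hardening checklist in the reply above (web UI off, SSH only, source-IP lock, keys rather than passwords) turned into a config audit, as an added example that is not from the thread or from Cisco: the `show running-config` excerpt, the `vty_blocks`/`audit_mgmt_plane` names and the ACL number are constructed for illustration, while the command keywords themselves are standard IOS syntax.

```python
# Constructed "show running-config" excerpt; not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr
ip http server
ip http secure-server
ip ssh version 2
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class 10 in
 transport input ssh
 login local
"""


def vty_blocks(lines):
    """Group each 'line vty ...' header with its indented child lines."""
    blocks, current = {}, None
    for line in lines:
        if line.startswith("line vty"):
            current = line
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any non-indented line ends the block
    return blocks


def audit_mgmt_plane(config):
    """Return findings for the points in the reply above: web UI disabled,
    SSH-only vty transport, a source-IP ACL on each vty line, and SSH public
    keys configured so logins do not rely on passwords alone."""
    lines = config.splitlines()
    top = {l for l in lines if not l.startswith(" ")}  # global-config lines
    findings = []
    if "ip http server" in top:
        findings.append("HTTP web UI enabled (ip http server)")
    if "ip http secure-server" in top:
        findings.append("HTTPS web UI enabled (ip http secure-server)")
    if "ip ssh pubkey-chain" not in top:
        findings.append("no ip ssh pubkey-chain: SSH logins rely on passwords")
    for name, body in vty_blocks(lines).items():
        transports = [b for b in body if b.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"{name}: transport input not restricted to ssh")
        if not any(b.startswith("access-class") for b in body):
            findings.append(f"{name}: no access-class ACL limiting source IPs")
    return findings


if __name__ == "__main__":
    for finding in audit_mgmt_plane(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports both web servers, the missing key chain, and the telnet-capable, unrestricted `line vty 0 4`, while the locked-down `line vty 5 15` produces nothing.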

  2. Anonymous Coward

    Hobby-Admin (not CCNA certified)

    For managing the Draytec at Grandma's place I use a LAN-to-LAN (L2TP) VPN, and dial-up VPN for both. Cannot say for CISCO, but Draytec has WAN access enabled by default - just turn off the checkbox. MacOS and iPad have L2TP VPN built in, no need for an App, even Windows can connect with security level MEDIUM, Windows 11 VPN does not support strong encryption (HIGH setting, macOS does).

    Yes, Draytec had a HTTP vuln as well - but I always had WAN access disabled.

    LAN-to-LAN is neat, can check the IP camera and the VPN self activates, idle=500 secs (pull down).
